Privacy Policy

Effective date: June 2, 2026

This Privacy Policy explains how EasyBoard ("we," "us," or "our") collects, uses, and protects personal data when you use the EasyBoard platform at easyboard.live (the "Service"). Please read it alongside our Terms of Service.

1. Data Controller

EasyBoard is operated as an independent software service. For questions about your personal data, contact us at the address in Section 10 below. We are the data controller for all personal data described in this policy.

2. What We Collect

We collect only the data necessary to provide the Service:

  • Email address — provided when you sign up or sign in. Used for authentication (magic links) and service communications.
  • Dashboard and tile content — the metrics, counters, text, and other data you push to your dashboards via the API or the interface.
  • API usage metadata — timestamps, HTTP methods, and endpoint paths of write operations. Used for rate limiting, abuse prevention, and aggregate platform analytics. No request body content is logged.
  • Billing metadata — if you subscribe to Pro, we store your Lemon Squeezy subscription ID, status, renewal date, and the last four digits and brand of your payment card (for display only). Full card numbers are never stored — Lemon Squeezy is the Merchant of Record and processes all payment data under their own privacy policy.
  • Session tokens (hashed) — a cryptographic hash of your session token is stored to keep you signed in for up to 30 days. The raw token is held only in your browser cookie and cannot be recovered from our database.

We do not collect IP addresses at the application layer. Infrastructure logs (including IP addresses) are managed by Railway — see Section 5.

3. Lawful Bases for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your personal data under the following lawful bases:

  • Contract performance (Art. 6(1)(b)) — processing your email address for authentication, storing your dashboard content, and managing your subscription are all necessary to provide the Service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — API usage logging for rate limiting and abuse prevention; service-related email communications such as product updates, re-engagement, and feedback requests. You can object to this processing at any time (see Section 8).
  • Legal obligation (Art. 6(1)(c)) — retaining anonymised audit records where required.

4. How We Use Your Data

  • Authenticating you via passwordless magic links.
  • Displaying and updating your dashboards and tiles in real time.
  • Enforcing plan limits and rate limits.
  • Sending transactional emails (sign-in links, share notifications).
  • Sending non-transactional emails (product updates, feedback requests, re-engagement) — you can opt out at any time via the unsubscribe link in any such email or through your account settings.
  • Aggregate, anonymised analytics to understand how the platform is used.

We do not sell your data, profile you for advertising, or share your email with third parties for marketing.

5. Third-Party Processors

We share personal data with the following sub-processors, each under a Data Processing Agreement, solely to provide the Service:

  • Railway (US) — cloud hosting and PostgreSQL database. Infrastructure logs including IP addresses are retained per Railway's retention policy. See Railway Privacy Policy.
  • Resend (US) — transactional email delivery. Your email address is transmitted to Resend to deliver sign-in links and other service emails. See Resend Privacy Policy.
  • Lemon Squeezy (US) — payment processing and subscription management. As Merchant of Record, Lemon Squeezy independently controls billing and tax data. See Lemon Squeezy Privacy Policy.
  • PostHog (US/EU, if analytics are enabled) — product analytics. Configured without persistent cookies or cross-session identifiers. No personally identifiable information is sent to PostHog. See PostHog Privacy Policy.

6. Cookies

We use one first-party cookie:

  • easyboard_session — an HttpOnly, SameSite=Lax session cookie containing a hashed authentication token. Expires after 30 days. Strictly necessary for signing in — no consent required.

PostHog analytics (if enabled) is configured with memory-only persistence, which means no analytics cookie or local-storage entry is written. No cookie consent banner is required for our analytics configuration.

7. Data Retention

  • Active accounts — your data is retained for as long as your account is active.
  • Free-plan inactive dashboards — dashboards on the free plan that have not received any updates for 30 consecutive days may be automatically deleted. This does not apply to Pro accounts.
  • After account deletion — your email address and dashboard content are deleted. Email delivery logs are anonymised (the email address replaced with "[deleted]") and retained for operational audit purposes. API usage logs (counts and timestamps) are retained in anonymised form.
  • Magic link tokens — expire after 15 minutes and are deleted immediately on use.
  • Session tokens — expire after 30 days and are deleted on sign-out.

8. Your Rights

Depending on where you are located, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Portability — download your dashboard content in machine-readable JSON format via your account settings.
  • Erasure — request deletion of your account and all associated personal data by contacting us at the address below.
  • Rectification — contact us to correct any inaccurate data.
  • Object to processing — opt out of non-transactional emails at any time using the unsubscribe link in any email, or via the toggle in your account settings.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise your rights, contact us at the address in Section 10. We will respond within 30 days. If you are in the EEA, you also have the right to lodge a complaint with your local data protection supervisory authority.

9. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you by email and update the effective date above. Continued use of the Service after changes become effective constitutes acceptance of the revised policy.

10. Contact

For privacy-related questions, data subject requests, or to exercise your rights, contact us at [email protected]. Please include "Privacy Request" in the subject line.